
Health Research: the French Data Protection Authority (CNIL) updates its Reference Methodologies (MRs) to reflect current practices and raise compliance standards


The CNIL has revised the reference methodologies MR-001 and MR-003 applicable to health research, with the new versions entering into force on 24 May 2026. This reform significantly strengthens compliance requirements, particularly with regard to security, data governance and subcontracting arrangements, while adapting MR-001 and MR-003 to developments in research practices. It clarifies the scope of the research activities concerned, specifies the rules governing the categories of data that may be processed, and imposes stricter segregation of access to information. Two new mandatory annexes introduce enhanced security measures (including multi-factor authentication from 2027 onwards) and establish a framework for remote quality control. Although existing declarations of compliance remain valid, stakeholders in the sector must reassess their practices, contracts, internal documentation and technical measures in order to meet the level of compliance now expected by the CNIL.

The French Data Protection Authority (Commission nationale de l'informatique et des libertés – CNIL) has adopted the long-awaited updated versions of its reference methodologies MR-001 and MR-003, published in the Journal officiel on 23 May 2026 and entering into force on 24 May 2026, together with the publication of two new annexes relating to the quality and security of personal data processing operations carried out in the context of health research. This revision goes beyond mere drafting modernisation; in light of the developments reflected in the text, the CNIL strengthens the organisational and technical requirements attached to reliance on the simplified notification regime, while addressing the increasing digitalisation of research practices. The CNIL justifies this reform not only by the growing number of reported personal data breaches in the health sector, but also by the digital transformation of clinical research practices and the evolution of the applicable legal and regulatory framework.

MRs – a simplified notification regime

In the field of health research, the CNIL reference methodologies (MRs) are a central compliance instrument setting out all personal data protection rules applicable to health research activities. They enable controllers to benefit from a simplified notification regime: where a processing operation complies with all requirements of the applicable MR, the data controller may proceed via a declaration of compliance. Failing this, where even a single provision of the applicable MR is not met, an authorisation request must be submitted, entailing a lengthy procedure before the CNIL.

A more clearly defined scope

The CNIL now expressly clarifies that MR-001 and MR-003 apply to sponsors established outside France, provided that all or part of the data subjects concerned by the processing are located in France. This point, which previously raised interpretative uncertainty, is now expressly resolved.

MR-001 and MR-003 also include a further welcome clarification, confirming that they apply to research conducted by a sponsor established in France even where the data subjects do not reside in France.

The updated texts of MR-001 and MR-003 also now take joint controllership into account: in the case of joint controllership, each sponsor must comply with its own obligations under the GDPR, and each must submit its own commitment to comply with the relevant MR to the CNIL.

Broader categories of data, but more compartmentalised access

The revised MRs expand the list of data that may be processed. In addition to previously permitted data, the MRs now allow the collection of patients' place of birth, geographic origin, country, region or department of residence, sexual orientation, as well as vital status and date of death, under the conditions set out in the applicable texts. Notably, the CNIL also permits the collection of the patient's full date of birth among administrative data. Previously, only the month and year of birth were authorised, which created practical difficulties, in particular for the reimbursement of research-related expenses by service providers that are subject to regulatory banking requirements for identity verification, which require a full date of birth. It is now possible to collect the full date of birth for service providers performing administrative functions related to the coverage or reimbursement of transport, accommodation or meal expenses for participants.

While this expansion reflects evolving research protocols and practices, it requires heightened vigilance regarding compliance with the principles of necessity, data minimisation, and scientific justification for each category of data processed.

In parallel, the CNIL clarifies rules relating to recipients and the accumulation of roles. Where the same entities or individuals perform multiple functions, for example participant follow-up, information provision, and certain administrative tasks, the rules require strict physical and organisational separation of functions, data siloing across databases or applications, and tightly controlled access rights based on a strict need-to-know principle. For life sciences companies, this requires a comprehensive review of access structures across clinical, regulatory, pharmacovigilance, support, and vendor teams, in order to identify and remediate potential weaknesses in segregation.

Information to data subjects: more flexible modalities but reinforced technical safeguards

The updated MRs expressly permit the provision of information via electronic means, reflecting established sector practices. While the principle of prior information remains, the CNIL also introduces the possibility of deferred information in validated emergency situations.

The CNIL further clarifies who must receive such information and provides that, for research involving human subjects (RIPH) in categories 2 and 3, informing only one parent is permissible.

However, this flexibility in modalities does not reduce the evidentiary burden: controllers must still be able to demonstrate that information has been effectively provided, in an intelligible and secure manner, which may require technical adjustments to existing IT systems.

Confirmed legal bases

The CNIL clearly confirms the legal bases it considers most appropriate:

  • Article 6(1)(e) GDPR: where the sponsor has been entrusted with a research mission by law (e.g., a public research organisation), the legal basis is the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller.
  • Article 6(1)(f) GDPR: where the sponsor is a private entity (e.g., a pharmaceutical company or medical device manufacturer), the applicable legal basis is the legitimate interests pursued by the sponsor.

As regards the exemption for special categories of data under Article 9 GDPR, the CNIL identifies Article 9(2)(j) GDPR (scientific research purposes) as the most appropriate basis.

Two binding annexes strengthening operational requirements

The update to MR-001 and MR-003 is also distinguished by the introduction of two common annexes to both MR-001 and MR-003: one relating to security and the other to quality control. These annexes have immediate practical relevance, and compliance with their provisions is mandatory in order to be compliant with MR-001 and MR-003.

The security annex notably covers pseudonymisation using non-meaningful codes, the electronic transmission of information notices, and certain modalities for data sharing for the purpose of review or publication of results. The CNIL highlights that the health sector recorded 547 personal data breach notifications in 2024, compared with 16 in 2018, which explains the increase in the expected level of requirements. A compliance roadmap must therefore be anticipated: multi-factor authentication, strongly encouraged by the CNIL for access to research data, will be required as of 1 January 2027 for internet-accessible tools, and from 1 January 2028 for other systems used in the context of research.

The quality control annex is also of significant practical importance. The CNIL sets out and formalises the requirements applicable to this activity, which has become more frequently performed remotely, while maintaining clear limits on access to source documents. For ongoing research at the date of entry into force of the updated MRs, the implementation of remote quality control does not require an authorisation request, provided that the remainder of the research complies with the applicable MR in its 2026 version.

Outsourcing and data transfers

The new versions of MR-001 and MR-003 further strengthen the requirements applicable to processors, whether direct processors or sub-processors. The CNIL requires that they provide sufficient guarantees, makes the security annex applicable to them, and imposes prior audits, including at investigator sites, while allowing such audits to rely on previous audit work; it also specifies that adherence to a code of conduct may facilitate the demonstration of the required guarantees. The direct processor must, in addition, keep the information relating to its sub-processors up to date.

With regard to transfers outside the European Union, the texts maintain the principles of necessity and data minimisation and allow the transfer of administrative data in the cases provided for, notably where an adequacy decision exists or, in the context of research conducted abroad, as a transfer back to the country of origin, subject to compliance with Chapter V of the General Data Protection Regulation (GDPR). Here again, research stakeholders must ensure consistency between their actual data flows, their contractual clauses, and their compliance documentation.

Entry into force of the updated MR-001 and MR-003

The updated MRs have been applicable since 24 May 2026. The CNIL indicates that declarations of compliance made under the previous versions remain valid, even where substantial modifications are made in order to comply with the content of the updated MRs. It is therefore not necessary, in such cases, to submit a new declaration of compliance to the CNIL.

The absence of a new declaration of compliance does not exempt organisations from a substantive review of their compliance documentation (information notices, data protection impact assessments, records of processing activities, etc.) where their organisational or security measures do not meet the level of requirements now expected.

Next steps

In light of these developments, health research stakeholders must, without delay, undertake a review of their compliance frameworks in order to identify any gaps with respect to the new requirements of MR-001 and MR-003. This process should focus in particular on access rights management, relationships with processors, international data flows, and security measures, especially in view of upcoming deadlines relating to multi-factor authentication.

The annotated versions of the methodologies published by the CNIL, available in both French and English, constitute a valuable tool in this respect to support compliance efforts. Enriched with practical examples, key points for attention, and operational guidance, they enable organisations to better understand the practical scope of the new obligations and to prioritise the actions to be implemented. The checklists made available by the CNIL alongside the new requirements of MR-001 and MR-003 are also highly useful for documenting compliance.

Our team remains available to assist you in identifying the updated elements, assessing their impact on your processing activities, and determining the steps required to achieve compliance.


Authored by Joséphine Pour, Julie Schwartz, and Gauthier Zimmer.
